Tuesday, April 21, 2009

From Identity Service Provider to Identity Provider Service!

I had the pleasure of meeting one of my identity heroes, Kim Cameron, at ESAF on Monday. It went well and truly made up for my trip to PARSIFAL, where I had been told he was going to present. I did, however, meet the EU Information Commissioner at PARSIFAL, and discussed with him the importance of Cloud Based Identity. This initiated the seed growing.

At ESAF I also bumped into a number of other potential Cloud Based Identity Players. The interaction with Kim created a massive brain explosion. The result: two words swapped places. Seems such a minor result when stated like that! :-(
But Identity Service Provider became Identity Provider Service! (IPS)

Definition: An Identity Provider Service is a Cloud Based Identity Service Model that allows any individual, leader of a group or organisation to create identities for themselves or their members. It allows the management of the Identities in such a manner that they can be simply used by and within the group or organisation, or can be raised to a level of trust whereby they can be consumed by third parties, and as a result the Identity Provider and Identity Provider Service can receive a revenue.

The following Graphic attempts to capture the concepts that were borne in my mind, undoubtedly the result of reading what many others have written on the topic and watching Dick Hardt's Identity 2.0 Video (he's my other Identity Hero; how can I properly cite all the folks who helped create conditions for the two words to swap!). My friends at the Jericho Forum undoubtedly played a key part, especially Steve, Paul and Andrew. I am confident that the LEF Cloud Study Tour also had an impact. So I lay these out for the world to consume in an OPEN Manner, in the hope that a new Identity Provider Service Model will result.



Imagine the three Customer, Professional and Organisation components as Blimps floating atop the Identity, Claims, & Access Management landscape. They will be populated with Personas with Claims that need to be verified. These claims could either be self asserted or verified in the "New Cloud based Identity Provider Service" approach, i.e. the Scout Leader or the BMA said they were accurate claims!

I see the Identity Provider Service being delivered at varying levels of trust: Self Asserted (Free), Group Leader Asserted (Free with Certificates), Organisational Assertion (One Off Fee with Certificates), and Authenticated Organisational Assertion (higher One Off fee with additional means of authentication). Payment is made by the consumer of the identity in the latter two cases on a transaction basis (think credit card transactions), and this payment is split between the Identity Provider Service and the Identity Provider.

Expanding the example, the Boy Scouts of America may choose to allow each Troop Leader to publish their own Troop's Identities, or negotiate a higher Trust Level with the IPS and issue Certificated Authenticated Identities for which they will receive revenue when the Identities are used/trusted by third parties. The Identity Provider Service would operate like Mastercard/Visa, charging a verification fee that rises dependent upon the level of Claims being made and the Risks involved in the transaction.

The British Medical Association could choose to issue an electronic identity to its Doctors using this Identity Provider Service approach and receive a revenue from the organisations that consumed the Doctors' Identities, which naturally came with a verified Claim that they were a Practising Doctor (Meta Data of the Claim to be determined).
NB In this new IPS Model all parties would need to determine HOW the Identity Risk is shared. The BSA would be the Identity Provider. IBM, PayPal, Microsoft, RSA could provide the Identity Provider Service following a standard approach. Lots of legal and compliance stuff to be sorted!
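To make the trust levels concrete, here is an added sketch (my own illustration, not anything an IPS vendor ships) of how a consumer of such an Identity would check who actually asserted a Claim before relying on it. It assumes the IPS registers one key per Identity Provider (here constructed HMAC keys standing in for the Certificates) and records the assertion level each Provider negotiated; a self-asserted Claim carries no issuer and is never promoted above the lowest level, and a Claim whose signature does not verify is rejected outright.

```python
import hmac, hashlib, json
from enum import IntEnum

class Assertion(IntEnum):
    SELF = 0       # Self Asserted (free)
    GROUP = 1      # Group Leader Asserted (free, with certificate)
    ORG = 2        # Organisational Assertion (one-off fee)
    ORG_AUTH = 3   # Authenticated Organisational Assertion (higher fee)

# Constructed registry: in a real IPS these would be the Identity
# Providers' certificates and their negotiated trust levels.
ISSUER_KEYS = {"bsa-troop-42": b"constructed-troop-key", "bma": b"constructed-bma-key"}
ISSUER_LEVEL = {"bsa-troop-42": Assertion.GROUP, "bma": Assertion.ORG_AUTH}

def sign_claim(issuer, subject, claim):
    """Identity Provider side: bind issuer, subject and claim under the issuer's key."""
    body = json.dumps({"iss": issuer, "sub": subject, "claim": claim}, sort_keys=True)
    mac = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def self_asserted_claim(subject, claim):
    """No issuer, no signature: the persona simply states the claim about itself."""
    return {"body": json.dumps({"sub": subject, "claim": claim}, sort_keys=True), "mac": ""}

def verify_claim(token, required):
    """Relying-party side. Returns (accepted, level actually established)."""
    data = json.loads(token["body"])
    issuer = data.get("iss")
    if issuer is None:                      # self asserted: only good enough for SELF
        return required <= Assertion.SELF, Assertion.SELF
    key = ISSUER_KEYS.get(issuer)
    if key is None:                         # issuer unknown to the IPS: no trust at all
        return False, Assertion.SELF
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, Assertion.SELF        # tampered or forged
    level = ISSUER_LEVEL[issuer]
    return level >= required, level

if __name__ == "__main__":
    tok = sign_claim("bma", "dr-smith", "practising-doctor")
    print(verify_claim(tok, Assertion.ORG))          # (True, Assertion.ORG_AUTH)
    print(verify_claim(self_asserted_claim("me", "practising-doctor"), Assertion.ORG))
```

The point for the consumer is that the Claim text alone ("practising doctor") means nothing; the level is a property of who signed it and what the IPS knows about that signer.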

But in the meantime it could start small. I would use the service to publish Information Cards (for that feels like the best form in which to create the Identities) for my friends and family so that we could all safely interact on the Web.

I wouldn't buy a "Geneva Server" to do that but I would certainly sign up to the first IPS that would allow me to publish such Information Cards.

After the concept takes off, I predict an early explosion of Identity Provider Services followed by a shake out that would reduce to 3, maybe 4, providers within 3-5 Years. The number of Identity Providers would remain large. In comparison to the Credit Card Model, I can get a Credit Card from the Royal Society for the Protection of Birds! Why? Because they earn revenue from it... I'd quite like an RSPB Identity for my Twitcher Persona!!!!

Alternatively we could continue populating the Blimps from the Enterprise Centric Model, which is more costly and less effective. Please NO!

I propose populating the Group, Organisation and Professional Blimps ahead of the Customer Blimp; ultimately these three Blimps will merge. Initially Enterprises will think they want Enterprise issued Identities to fill the Customer Blimp using this new Cloud Identity Service Model, but eventually we will get that the other Identities are cheaper and more reliable!

Needs far more thought, for 'tis early in the morning...

But I just had to share!!!